Alma Whitten Making Security Usable Degree Type: Ph.D. in Computer Science Advisor(s): Doug Tygar Graduated: May 2004 Abstract: Usability remains one of the most pressing and challenging problems for computer security. Despite widespread recognition of the damage that results from configuration errors and other user misunderstandings, little progress has been made toward making verifiably usable security a reality. In this dissertation, we propose that the usability problem for security is difficult to solve precisely because security presents qualitatively different types of usability challenges from those of other types of software, and suggest that making security usable will require the creation of user interface design methods that address those challenges. We begin by presenting an analysis of security as a usability domain. Our analysis is founded on the identification of five characteristics of computer security which distinguish the problem of creating usable security from the general problem of creating usable consumer software. Working from those characteristics, we establish a set of guidelines for determining when security can safely be automated and hidden from the user versus when it must be made visible and usable. We argue for a design philosophy that considers the benefits of presenting a security mechanism as a general purpose tool rather than an application specific appliance, and discuss some of the additional ethical and pragmatic issues raised by questions of visibility. Our analysis concludes with the identification of a design principle for usable security, well-in-advance, that stands in contrast to the general user interface design practice of providing just-in-time information. In order to ground our analysis with some empirical data, we describe a case study that we conducted using PGP 5.0 for the Apple Macintosh. PGP is a commercial product for adding cryptographic security to electronic mail. Marketing literature for PGP 5.0 claimed that its user interface had been substantially improved and was highly usable, and it was often mentioned in the security community as an example of a good user interface for a security program. We agreed that the PGP 5.0 user interface appeared good by conventional standards, but suspected that it would fail to meet the special challenges posed by security. A cognitive walkthrough analysis and an extensive user test demonstrated that this was indeed the case. We next present two specialized user interface design techniques that we have developed. Safe staging is founded on the well-in-advance principle, and combines the concept of staged user interfaces with a safety template derived from established standards for consumer product warning labels, resulting in a technique for designing user interfaces that allow users to safely and consciously postpone learning about the use of particular security mechanisms until they decide they are ready to do so. Metaphor tailoring uses conceptual model specifications that have been augmented with security risk information to create visual representations of security mechanisms and data that incorporate as many desirable visual cues as possible. We demonstrate the use of both these techniques by applying them to the design of a user interface for a hypothetical secure electronic mail program called Lime. To evaluate the success of our techniques as represented in our user interface design, we first performed comparative user tests using paper presentations. Two versions of these tests were conducted, each using three presentation variants. The first version of the test was designed to compare a design that used safe staging to present the mechanism of key certification against two other variants that did not use staging. This version yielded a strong positive result for staging: 45% participant success versus 10% and 0% for the unstaged variants. The second version of the test was designed to compare two variants of the tailored metaphors used to present public key cryptography in Lime against the standard images used in PGP 5.0. This test was judged to be a failure due to a problem in the test design, and did not yield useful results. For the next part of our evaluation, we created a complete working software implementation of the Lime design, with simulated cryptographic and electronic mail functionality, and used it to conduct an extensive user test. Results from this test were good: not only were nearly all participants were able to use the basic cryptographic functions successfully and appropriately, but most were also able to make appropriate use of key certification, which is one of the most difficult cryptographic concepts to make usable. The combined results of the first comparative test and the software user test support our thesis that it is possible to make security usable for general consumer software, when user interface design techniques developed for the specific needs of security are used. Keywords: Security, privacy, usability, cryptography, user interfaces, learnability, electronic mail, conceptual models, visual metaphors, scaffolding, metaphor tailoring, safe staging